from the follow-the-leader dept

With Steam's policy for providing refunds on digital game purchases being roughly two years old, many people forget the context of the time when Valve began offering those refunds. It's worth being reminded that at that time nobody in the neighborhood of the Steam client's popularity was offering any real avenue for getting refunds on digital game purchases. Those that did mostly did so under the most restrictive conditions, with insane single-digit day windows in which a refund could be had, and only for certain reasons, of which the game being shitty was not included. Steam's criteria was that you could request a refund during a two-week period for any reason, be it the game not living up to expectations, the gamer's machine not being able to run it properly, or anything else. The other contextual aspect to keep in mind was that Steam had endured several weeks of absolutely brutal PR, with awful customer service ratings and the whole fiasco over its attempt at creating a paid-mod system.

Still, Valve broke the mold in some respects with the new policy, forcing the competition to keep up. It took two years, but Microsoft recently announced that both its Xbox and Windows 10 marketplaces will likewise offer refunds on digital purchases, with the same fourteen-day window and the same requirement that the game not have been played for more than two hours.

Microsoft's self-service refunds work much like returns do on PC game-download service Steam. Shoppers have up to 14 days after purchasing a game or app to request a refund, and that will only work if the software in question has not been used for more than two hours while owned. Similar to Steam, Xbox and Windows 10 users will have to navigate to an "order history" section of their account to request such a refund, rather than any obvious tabs or buttons within a given game or app's landing page. However, this can only be done through a Web browser pointed to account.microsoft.com, as opposed to the Xbox One or Windows Store dashboards.

It's Microsoft, so of course it would have to be more complicated than it should be, but this is still a good and important step. For far too long, digital purchases for all kinds of goods -- video games included -- were viewed as somehow different from a consumer rights standpoint than a physical product. This sense of difference propagates itself in many directions, but the ability to get refunds on products was certainly one of them. It's far past time that the fake wall that's been erected between digital goods in terms of consumer rights had some bricks pulled from it, and these refund policies are a good start.

They also serve to show how the competition will respond when one company begins treating its customers well, which is essentially to play follow the leader. You can bet that all eyes are now on the PlayStation Network to see exactly how long it will take for Sony to keep up with the competition.

In the post accompanying the disclosure, Microsoft points out the USA Freedom Act is the only reason it's been able to release the NSL. This is one of the benefits of the recent law: a better, faster way to compel review of NSL gag orders, which used to take place almost never.

In addition, Microsoft notes FISA orders are on the rise. Of course, its reporting is limited to useless "bands," so the only thing that can definitely be determined is Microsoft's FISA interactions have at least doubled.

What's included in the NSL is more of the same: demands for subscriber info backed solely by the authority of the FBI agent who typed it up. No judicial approval needed. What isn't in there are demands for a bunch of info the FBI has no business asking for, like in those served to Yahoo. In one of Yahoo's NSLs, the government demanded the service provider go above and beyond statutory requirements and hand over everything from subscriber phone numbers to "upstream providers" associated with the named account.

It also contains the old, pre-USA Freedom Act boilerplate about challenging the gag order -- something the FBI continued to append to post-USA Freedom Act NSLs until the Internet Archive shamed it into admitting it was using outdated language.

Going forward, the government should expect the challenges to continue. Microsoft notes it's currently in court contesting the feds' increasing use of gag orders -- something it justifies using a law meant to protect the privacy of electronic communications: the ECPA.

The trickle of un-gagged NSLs is encouraging. Even if the releases trail far behind issuances (both in number and elapsed time), the fact that we're seeing any at all remains a small miracle. If service providers are enjoying these very occasional forays out from under gag orders, they might want to consider sending a few fruit baskets Snowden's way.

from the menu-driven-God-Mode dept

The Shadow Brokers -- having failed to live up to half their name -- released more NSA exploits last week when it became apparent no one was willing to purchase the exploits from them. This dump was far more interesting than previous releases, as it contained a large number of Windows exploits and -- for some -- a very handy, easy-to-use front end for malware deployment.

This dump probably ruined a few Easter weekends at Microsoft, but not nearly as many as was first presumed. While the exploits targeted older versions of Windows, they would have caused trouble for government and corporate networks still relying those versions. Those targeting unsupported versions are the most dangerous, as those holes will never be patched. They're also the ones with the smallest user bases, so that mitigates the damage somewhat.

That’s a critical detail for the debate going on on Twitter and in chats about how shitty it was for SB to release these files on Good Friday, just before (or for those with generous vacation schedules, at the beginning of) a holiday weekend. While those trying to defend against the files and those trying to exploit them are racing against the clock and each other, it is not the case that the folks at NSA got no warning. NSA has had, at a minimum, 96 days of warning, knowing that SB could drop the files at any time.

The big question, of course, is whether NSA told Microsoft what the files targeted. Certainly, Microsoft had not fully responded to that warning, as hackers have already gotten a number of these files to work.

Unlike the CIA dump happening at Wikileaks, the NSA had a pretty good idea what was contained in the Shadow Brokers stash. Microsoft, however, says it was never contacted by the NSA or "any agency" about the exploits ahead of their release.

Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandingly, customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched.

The most interesting patch on the list is MS17-010, released March 14th. It patched several remote code execution holes in older Windows versions. These patches weren't applied to test machines, resulting in the mistaken conclusion these vulnerabilities hadn't been fixed.

But the patch notes say nothing about whodisclosed the vulnerabilities, which makes it an anomaly. Microsoft's denial, combined with its blank "acknowledgements" page, suggests the NSA itself warned the company about the vulnerabilities. It seems unlikely Shadow Brokers would have given Microsoft a heads up, as it hadn't warned any other affected vendor up to this point.

If so, the Vulnerabilities Equity Process sort of works. I mean, the NSA held onto these as long as it could, but finally informed the affected party when it became apparent it might have to share its "exclusive" exploits with the rest of the world. Better late than never, and certainly better when delivered ahead of a very public disclosure.

What's in the latest dump is now mostly useless. But not completely useless. There are still plenty of machines running older Microsoft software that are still vulnerable, many of them possessed by corporations and government agencies. If the software is old enough, the security holes are permanent.

Not that those with the latest and greatest should rest easy. The NSA hasn't stopped producing and purchasing exploits. The SB stash was a few years old. Current Microsoft software remains under attack from state intelligence agencies and criminals. But this dump of tools shows just how powerful the NSA's toolkit is -- one made even more dangerous by its apparent ease of use. It makes exploit delivery possible for anyone, not just those with a very specific skillset.

from the this-bad-idea-is-for-your-own-good dept

Last week, we noted how Apple was one of several companies lobbying against a right to repair bill in Nebraska. The bill would make it easier for consumers to repair their own products and find replacement parts and tools, which is generally considered to be a good thing -- especially if the only Apple store is eighty miles away from your current location. But Apple tried to argue that Nebraska's bill would not only make the public less safe (self-immolation everywhere!), but it would also result in Nebraska becoming some kind of "mecca" for nefarious hoodie-wearing ne'er-do-well hackers.

Of course Apple, like most companies, just enjoys a repair-monopoly, which not only allows it to charge an arm and a leg for what very well may be superficial repairs, but helps prop up closed, proprietary ecosystems, hurting customers in a myriad of other ways as well.

It's not just in Nebraska where this conversation is happening (the Nebraska bill just happens to be the furthest along legislatively). Similar bills are also winding their way through New York, Minnesota, Wyoming, Tennessee, Kansas, Massachusetts, and Illinois state legislatures. And in most of these states, the companies lobbying against these laws are using the same disingenuous arguments Apple has been embracing. Usually it's the trifecta of false claims that the bills will make users less safe, pose a cybersecurity risk, and open the door to cybersecurity theft.

Game console makers Nintendo, Sony and Microsoft, long at the forefront of opposing the user right to tinker, fired off a letter last week (pdf) under the banner of the Entertainment Software Association that once again trots out all three bogeymen in taking aim at Nebraska's law:

"We are concerned that legislative Bill 67 would jeopardize consumer safety and security, is unnecessary and compromises intellectual property....Customer safety, security and privacy are fundamental goals in the design of our membership's hardware, software and services...Our free market economy already provides a wide-range of consumer choice for repair with varying levels of quality, price and convenience without the mandates in this legislation."

Note they cite a "free market economy" in the hopes you'll ignore the fact that they've effectively monopolized repair to the detriment of price and convenience. Companies like Sony and Microsoft would certainly prefer that you pay them exorbitant fees to repair what's often their own manufacturing errors that they charge upwards of $200 to fix, but could have been repaired for notably less. Both Sony and Microsoft have also long placed tamper-proof stickers on their game consoles claiming removal of the sticker violates the warranty, even though this technically violates the 1975 Magnuson-Moss Warranty Act.

"After referring me to several different press representatives, Microsoft declined to comment. Sony did not respond to a request for comment. Apple has ignored repeated requests for comment. The ESA declined to comment. In two years of covering this issue, no manufacturer has ever spoken to me about it either on or off the record."

"We won't make as much money if independent, local repair shops can help customers" isn't a very compelling argument. But as usual, buying or hoodwinking a campaign-contribution-soaked Congress with a fleeting understanding of technology isn't particularly hard:

"It's very easy for the manufacturer to stand up there and say no we're the only ones who know how to do it," Kyle Wiens, CEO of iFixit, told me. "Lawmakers get spun stories by lobbyists who say the sky is falling, and it's very easy to kill legislation."..."This is not a case of right vs. left or a fringe interest group pushing it," Wiens added. "Everyone wants to be allowed to fix their stuff, and there's only a few organizations that don't want them to be able to. It's very transparent why manufacturers are against this."

In Nebraska, the right to repair bill was driven by John Deere's "authorized" repair requirements, which forced many regional farmers to pay John Deere an arm and a leg for, again, what in many instances may be relatively inexpensive and simple repairs. It's not only a monopoly over repair -- it's the cornerstone of an adversarial and utterly non-transparent relationship with the consumer. And the fact that the companies taking aim at these legislative proposals aren't even willing to publicly talk about them speaks volumes in and of itself.

from the prior-restraint,-but-for-forever-wars dept

One of severalserviceproviders to sue the government over its gag orders, Microsoft received some good news from a federal judge in its lawsuit against the DOJ. Microsoft is challenging gag orders attached to demands for data and communications, which the DOJ orders is statutorily-supported by the Electronic Communications Privacy Act (ECPA) and, if not, by supposed national security concerns.

As Microsoft pointed out in its lawsuit, the government rarely justifies its secrecy demands and frequently issues gag orders with no endpoint. Microsoft received nearly 2,800 of these gag-ordered requests over an 18-month period, with over two-thirds of them demanding silence indefinitely.

The good news is a federal judge has (partially) waved away the DOJ's motion to dismiss and will allow Microsoft to proceed with its lawsuit, as Politico's Josh Gerstein reports.

U.S, District Court Judge James Robart issued a 47-page opinion [PDF] Thursday allowing Microsoft to proceed with a lawsuit claiming a First Amendment violation when the government restricts internet providers from notifying subscribers about requests for their data.

"The orders at issue here are more analogous to permanent injunctions preventing speech from taking place before it occurs," Robart wrote. "The court concludes that Microsoft has alleged sufficient facts that when taken as true state a claim that certain provisions of Section 2705(b) fail strict scrutiny review and violate the First Amendment."

Section 2705(b) refers to the Stored Communications Act, which allows the government demand notice be withheld under certain circumstances, unless otherwise forbidden to by another section of the same law (Section 2703). Microsoft is looking to have both sections declared unconstitutional, especially given the severe upheaval the communications landscape has undergone in the thirty years since the law was passed.

Microsoft contends that Section 2705(b) is unconstitutional facially and as applied because it violates the First Amendment right of a business to “talk to [the business’s] customers and to discuss how the government conducts its investigations.” Specifically, Microsoft contends that Section 2705(b) is overbroad, imposes impermissible prior restraints on speech, imposes impermissible content-based restrictions on speech, and improperly inhibits the public’s right to access search warrants. Microsoft also alleges that Sections 2705(b) and 2703 are unconstitutional facially and as applied because they violate the Fourth Amendment right of “people and businesses . . . to know if the government searches or seizes their property.”

Microsoft contends that the statutes are facially invalid because they allow the government to (1) forgo notifying individuals of searches and seizures, and (2) obtain secrecy orders that “prohibit providers from telling customers when the government has accessed their private information” without constitutionally sufficient proof and without sufficient tailoring.

The DOJ argued Microsoft didn't have standing to bring this complaint, as its Fourth Amendment rights aren't implicated. Only its customers' are. But the court points out that, if nothing else, the company does have standing to pursue its claims of First Amendment violations.

The court finds that Microsoft has sufficiently alleged an injury-in-fact and a likelihood of future injury. Microsoft alleges “an invasion of” its “legally protected interest” in speaking about government investigations due to indefinite nondisclosure orders issued pursuant to Section 2705(b)... The court concludes that Section 2705(b) orders that indefinitely prevent Microsoft from speaking about government investigations implicate Microsoft’s First Amendment rights.

The court goes on to point out that frequent use of indefinite gag orders certainly appears to be unconstitutional, given that they act as a "forever" application of prior restraint.

The court also concludes that Microsoft's assertions of further civil injuries aren't speculative, as the DOJ claimed. Judge Robart points to the government's own actions as evidence of continued harm to Microsoft's civil liberties.

Microsoft bolsters its prediction by alleging that over a 20-month period preceding this lawsuit, the Government sought and obtained 3,250 orders–at least 4504 of which accompanied search warrants—that contained indefinite nondisclosure provisions. In addition, Microsoft alleges that in this District alone, it has received at least 63 such orders since September 2014. Because these orders have been frequent and issued recently, the Government will likely continue to seek and obtain them. Accordingly, Microsoft’s “fears” of similar injuries in the future are not “merely speculative.”

Unfortunately, the court won't grant Microsoft the standing to represent its users for Fourth Amendment purposes. Judge Robart points to a whole bunch of precedential decisions declaring otherwise, but at least takes a bit of time to discuss how denying Microsoft this opportunity likely means denying several of its users any sort of redress.

The court acknowledges the difficult situation this doctrine creates for customers subject to government searches and seizures under Sections 2703 and 2705(b). As Microsoft alleges, the indefinite nondisclosure orders allowed under Section 2705(b) mean that some customers may never know that the government has obtained information in which those customers have a reasonable expectation of privacy... For this reason, some of Microsoft’s customers will be practically unable to vindicate their own Fourth Amendment rights.

Expect the government to make heavy use of its "national security" mantra as it defends itself in this case. Those magic words have allowed all sorts of civil liberties violations in the past and still tend to move courts to the government's side when deployed in DOJ motions. If the court does side with Microsoft when this is all said and done, it's likely the remedy won't be a restriction on gag orders, but more likely something analogous to the rules that now govern National Security Letters -- periodic review of gag orders by the government and better avenues for raising challenges for companies affected. Then again, the court could simply punt it back to legislators and push them to fix the 30-year-old law whose dubious constitutionality is the source of numerous lawsuits against the federal government.

from the redefining-'seizure' dept

Just south of the Second Circuit Court of Appeal's district, a Pennsylvania (3rd Circuit) federal judge has come to (nearly) the opposite conclusion on law enforcement's access to emails stored overseas. This case deals with two FBI SCA (Stored Communications Act) warrants seeking emails that Google says aren't stored in the United States. Google, however, also says the sought emails could be at any of its data storage sites -- which would include those in the US. It all depends on when it's asked to retrieve the communications.

And there's where this decision parts ways with the Second Circuit, which found that emails stored in an Irish data center weren't subject to US-issued warrants. The court explains [PDF] Google's process for handling user data, which is built for efficiency, rather than what's central to the FBI's demands: efficiency of retrieval in response to law enforcement requests.

Google stores user data in various locations, some of which are in the United States and some of which are in countries outside the United States. Some user files may be broken into component parts, and different parts of a single file may be stored in different locations (and, accordingly, different countries) at the same time. Google operates a state-of-the-art intelligent network that, with respect to some types of data, including some of the data at issue in this case, automatically moves data from one location on Google's network to another as frequently as needed to optimize for performance, reliability, and other efficiencies.

As a result, the country or countries in which specific user data, or components of that data, is located may change. It is possible that the network will change the location of data between the time when the legal process is sought and when it is served. As such, Google contends that it does not currently have the capability, for all of its services, to determine the location of the data and produce that data to a human user at any particular point in time.

Because of the way Google handles data, it theoretically could refuse every US law enforcement request for communications. (It could do the same to foreign requests as well.) This makes Google's case distinguishable from Microsoft's legal battle. Microsoft knew exactly where the stored communications were located. Google says the communications might be anywhere -- in one place upon receipt of a warrant and in another when retrieval efforts begin. As the court sees it, the Second Circuit's ruling would basically make Google completely immune to law enforcement requests.

[I]f the court were to adopt Google’s interpretation of the Microsoft decision and apply such a rationale to the case at bar, it would be impossible for the Government to obtain the sought-after user data through existing MLAT channels.

The "fix," according the Pennsylvania court, is to have Google round up the sought communications in the US, putting them within reach of the FBI's warrants.

In contrast, under this court’s interpretation, Google will gather the requested undisclosed data on its computers in California, copy the data in California, and send the data to law enforcement agents in the United States, who will then conduct their searches in the United States.

Of course, this means compelling Google to do something with its data that it doesn't normally do, which would make it a seizure. And since the data sought is constantly in transit, the court is giving the government the power to step in and alter Google's data-handling. This would obviously be a seizure of data potentially stored (at least temporarily) in foreign countries. To get around the Fourth Amendment concerns this raises -- not to mention the expansion of the US government's power to compel the production of data from foreign servers -- the court decides no seizure actually takes place until the government takes control of the data Google has been ordered to compile.

In contrast to the decision in Microsoft, this court holds that the disclosure by Google of the electronic data relevant to the warrants at issue here constitutes neither a "seizure" nor a "search" of the targets' data in a foreign country. This court agrees with the Second Circuit's reliance upon Fourth Amendment principles, but respectfully disagrees with the Second Circuit's analysis regarding the location of the seizure and the invasion of privacy.

[...]

Electronically transferring data from a server in a foreign country to Google's data center in California does not amount to a "seizure" because there is no meaningful interference with the account holder's possessory interest in the user data. Indeed, according to the Stipulation entered into by Google and the Government, Google regularly transfers user data from one data center to another without the customer's knowledge. Such transfers do not interfere with the customer's access or possessory interest in the user data. Even if the transfer interferes with the account owner's control over his information, this interference is de minimis and temporary.

This is a really weird -- and wrong -- interpretation of the word "seizure." While it's true the FBI won't actually have taken possession of the emails until after Google has gathered them in a California datacenter to make them more Fourth Amendment-compliant (or whatever), the fact that Google has to interrupt its normal flow of data at the government's request would appear to make that initial interruption a "seizure" -- de minimis or not.

In essence, the court is saying the Fourth Amendment doesn't apply to data in transit. The government can compel the collection of overseas data and have the Fourth Amendment applied to it after it's already been gathered and stored locally. The decision makes a mess of the Fourth Amendment cart-horse configuration, but figures this is more acceptable than informing the FBI that its warrants might be useless.

The better conclusion to reach would be the one the Second Circuit reached: if the concern is that the 30-year-old SCA limits law enforcement's ability to demand data from overseas data centers run by US companies, the solution lies with the entity that created it (Congress), rather than the courts. This decision will be appealed and it's safe to assume the Third Circuit Court of Appeals will arrive at the same conclusion.

Even if Congress doesn't "fix" the SCA to make US companies with foreign data centers more responsive to law enforcement demands, cases going forward may start applying the Rule 41 changes that went into effect at the beginning of this year, which greatly expand the jurisdictional reach of US court-issued warrants. As for Google, its system isn't built with law enforcement's needs in mind, nor should it be. It does what works best for it, which is what we expect from private companies. This ruling gives law enforcement a workaround for dealing with the SCA's limits, so some forum shopping should be expected until this decision is (hopefully) overturned.

from the we-need-to-stand-up dept

I've been quite clear how I feel about Donald Trump's awful executive order that places a blanket ban on people entering the US (even if they had valid visas) from 7 countries, including a permanent block on Syrian refugees. Tons of people have been protesting this decision, and multiple courts have ruled against it. There has been some discussion over whether or not the tech industry was really going to stand up against this move, and some of the early statements about the executive order were a bit weak. However, late Sunday night, basically the entire technology industry (plus some companies from other industries as well) signed onto an amicus brief calling the order illegal and unconstitutional (technically, it's a motion asking for permission to file the amicus brief, with that brief attached).

The brief was filed in the Ninth Circuit appeals court, which is one of the first appeals courts considering the executive order, after a federal judge in Seattle issued a nationwide temporary restraining order on enforcing the exec order. On Sunday, the appeals court refused to reverse the lower court, keeping the TRO in place. However, it also gave both parties (the lawsuit itself was filed by the state of Washington) a very quick turnaround time to file written arguments to be considered.

Given that incredibly short time frame, the fact that 97 companies -- including some of the world's largest -- but also some tiny ones, like the Copia Institute (the think tank arm of Techdirt), were able to come together and not only get a detailed amicus brief together, but also get sign on from all of those companies (on Super Bowl Sunday, no less), is impressive. Having been through the process in which amicus briefs with multiple signers has been done before, normally there's lots of hemming and hawing from different companies and nitpicking over certain choices. It takes a lot of effort. Update: Another 30 companies have signed on as well.

But this issue was so important and so core and fundamental to our basic values, that basically the entire industry came together and signed onto this. You name the company, and it's probably signed on. There are the big guys: Google, Facebook, Microsoft and Apple (despite a false Washington Post article that claimed none of them had signed on). There are lots of other huge names as well, including Twitter, Snap, Uber, Airbnb, Lyft, Dropbox, Cloudflare, Box, eBay, GitHub, Kickstarter, Indiegogo, Medium, Mozilla, Patreon, Paypal, Pinterest, Reddit, Salesforce, Spotfy, Stripe, Wikimedia, Yelp, Y Combinator and many, many more. Update: Among the notable companies in the "late" sign on, were SpaceX, Tesla, Slack, Pandora, Adobe, HP, Evernote, Udacity and more...

I highly recommend reading the full amicus brief -- which makes an economic argument, a moral argument and a legal argument all wrapped up in one.

Immigrants make many of the Nation’s greatest discoveries, and create some
of the country’s most innovative and iconic companies. Immigrants are among our
leading entrepreneurs, politicians, artists, and philanthropists. The experience and
energy of people who come to our country to seek a better life for themselves and
their children—to pursue the “American Dream”—are woven throughout the social,
political, and economic fabric of the Nation.

For decades, stable U.S. immigration policy has embodied the principles that
we are a people descended from immigrants, that we welcome new immigrants,
and that we provide a home for refugees seeking protection. At the same time,
America has long recognized the importance of protecting ourselves against those
who would do us harm. But it has done so while maintaining our fundamental
commitment to welcoming immigrants—through increased background checks and
other controls on people seeking to enter our country.

[....]

The Order effects a sudden shift in the rules governing entry into the United
States, and is inflicting substantial harm on U.S. companies. It hinders the ability
of American companies to attract great talent; increases costs imposed on business;
makes it more difficult for American firms to compete in the international marketplace;
and gives global enterprises a new, significant incentive to build operations—
and hire new employees—outside the United States.

The Order violates the immigration laws and the Constitution. In 1965, Congress
prohibited discrimination on the basis of national origin precisely so that the
Nation could not shut its doors to immigrants based on where they come from.
Moreover, any discretion under the immigration laws must be exercised reasonably,
and subject to meaningful constraints.

There's much more in the full brief, and hopefully the court allows it and recognizes how momentous this is. I've never seen anything that so many tech companies have gotten behind (including things like SOPA), and this happened so fast that it is literally unprecedented. A whole bunch of people put in a tremendous effort to actually get this done (including more than a few having to miss the Super Bowl to get this done...). Andy Pincus from Mayer Brown deserves a specific shoutout for being the main lawyer putting the brief together.

We shall see what happens from here, but having basically the entire tech industry rise up in a single voice to say that this order is not right is nice to see. In this day and age, it's easy not to speak out and to just sit on the sidelines. But this is important, and when it mattered all of these companies spoke out.

from the go-bother-some-legislators,-kid dept

After being handed a loss in its judicial quest to force Microsoft to hand over data held in Ireland, the DOJ asked the Second Circuit for a rehearing of its July decision. At the center of the case is the DOJ's belief that it should be able to force US companies to turn over data/communications contained in overseas servers.

The government wants to have it both ways with its warrants for electronic data. On one hand, it analogizes data demands as being no different than digging through a filing cabinet found in a house it's searching. It argues that data held in servers/devices should be treated no differently than the personal papers the founding fathers tried to protect with the Fourth Amendment.

Then it argues that even if the "filing cabinet" isn't located on the premises it has a warrant to search, it should be able to access the contents of that cabinet. This, from Microsoft's motion to dismiss, explains what the government is truly asking for, using the sort of physical world comparisons the DOJ understands.

The Government cannot seek and a court cannot issue a warrant allowing federal agents to break down the doors of Microsoft's Dublin facility. Likewise, the Government cannot conscript Microsoft to do what it has no authority itself to do -- i.e., execute a warranted search abroad.

In its original decision, the Appeals Court pointed out that Congress clearly didn't intend the wording of the Stored Communications Act to cover foreign data centers, no matter what sort of twisted, hybrid paperwork the feds served Microsoft in hopes of routing around territorial limitations. The court noted, as it often does, that if the DOJ wanted its half-warrant/half-subpoena to both skirt mutual assistance treaties and the court's interpretation of the SCA, then it needed to approach Congress directly and get the SCA updated/amended.

And, indeed, the DOJ has done exactly that. It's seeking legislation specifically targeting the terroritorial limitations in the SCA that prevent it from doing what it wants to. But in the meantime, the DOJ thought the court should take another swing at it. The Second Circuit has decided to pass on this opportunity. But it has issued an affirmation [PDF] of its original ruling, with some additional dissenting voices appended.

An equally divided federal appeals court refused to reconsider its landmark decision forbidding the U.S. government from forcing Microsoft Corp and other companies to turn over customer emails stored on servers outside the United States.

Tuesday's 4-4 vote by the 2nd U.S. Circuit Court of Appeals in Manhattan let stand a July 14 decision that was seen as a victory for privacy advocates, and for technology companies offering cloud computing and other services worldwide.

But the dissenting judges said that decision by a three-judge panel could hamstring law enforcement, and called on the U.S. Supreme Court or Congress to reverse it.

"The panel majority's decision does not serve any serious, legitimate, or substantial privacy interest," Circuit Judge Jose Cabranes wrote in dissent.

The opinion doesn't tell the DOJ anything it didn't tell it previously, other than that the court is evenly divided. The decision reiterates points the DOJ didn't like the first time around. And, once again, it directs the DOJ's efforts at legislators, while also pointing out the dissent's similar willingness to interpret the law in ways Congress never intended.

The position of the government and the dissenters necessarily ignores situations in which the effects outside the United States are less readily dismissed, whichever label is chosen to describe the “focus” of the statute. For example, under the dissents’ reasoning (as we understand it), the SCA warrant is valid when (1) it is served in the United States on a branch office of an Irish service provider, (2) it seeks content stored in Ireland but accessible at the U.S. branch, (3) the account holding that content was opened and established in Ireland by an Irish citizen, (4) the disclosure demanded by the warrant would breach Irish law, and (5) U.S. law enforcement could request the content through the MLAT process. This hardly seems like a “domestic application” of the SCA.

Rather, we find it difficult to imagine that the Congress enacting the SCA envisioned such an application, much less that it would not constitute the type of extraterritorial application with which Morrison was concerned. Indeed, calling such an application “domestic” runs roughshod over the concerns that undergird the Supreme Court’s strong presumption against extraterritoriality, and suggests the flaw in an approach to the SCA that considers only disclosure.

The DOJ's flawed approach is also its most common approach. It seems genuinely baffled/irritated when its requests -- and its interpretation of the law -- are challenged. It views laws that don't allow it to do what it wants to do as broken. Rather than view limits in laws as guidance to help keep it aligned with Constitutional rights, it tends to do what it wants and let the courts sort it out.

Sure, the judicial process isn't exactly speedy, but it has better odds and a faster turnaround time than guiding legislation through multiple Congressional hoops. And it will continue to play the odds because not every service provider has the resources or legal acumen to fight back against unlawful demands.

from the hoover-up-ALL-the-data dept

For the last few years, Microsoft has been under fire because its Windows 10 operating system is unsurprisingly chatty when it comes to communicating with the Redmond mothership. Most of the complaints center around the fact that the OS communicates with Microsoft when core new search services like Cortana have been disabled, or the lack of complete, transparent user control over what the operating system is doing at any given time. Microsoft has since penned numerous blog posts that claim to address consumer concerns on this front -- without actually addressing consumer concerns on this front.

This week, Microsoft penned a new blog post claiming that the company has been listening to annoyed customers and privacy activists, and will finally be making substantive changes to Windows 10 privacy settings to give users more control. Among them will be new operating system-level privacy controls that make consumer options more granular. But Microsoft also says it is building a new privacy dashboard the company says will be doled out to Windows Insiders in an upcoming build, and will look something like this:

Microsoft says the company will simplify the operating system's diagnostic data collection levels, so that it's clearer what telemetry data is being sent back to the company’s servers. As it stands, Windows 10 currently has three snooping levels, but in the Creators Update (expected sometime in the Spring) there will be just two: an option to switch between "basic" and "full" data collection levels, depending how much invasive snooping you like with your morning coffee. Said basic tier is the lowest the settings will go, and includes collection Microsoft claims is necessary for the functioning of the OS. Basic includes:

"Data that is vital to the operation of Windows. We use this data to help keep Windows and apps secure, up-to-date, and running properly when you let Microsoft know the capabilities of your device, what is installed, and whether Windows is operating correctly. This option also includes basic error reporting back to Microsoft."

The problem is that Microsoft has often hidden behind claims that it has to collect a lot of this data or the operating system won't work, and there's still no option to eliminate the collection of telemetry data completely. "Full" data collection, in contrast, will collect everything that the basic setting covers, as well as "inking and typing data." That can include sending Microsoft the document you were working on that caused a system crash, and giving Microsoft support permission to access the OS remotely for troubleshooting.

The entire goal, Microsoft claims in the post, is to make consumer privacy easier to understand:

"When it comes to your privacy, we strive to make choices easy to understand while also providing clear visibility and control over your data. We believe finding the right balance is one of our most important tasks in delivering great personalized experiences that you love and trust."

We'll have to wait until Spring to see if these changes address concerns of the EFF, which last August criticized Microsoft's malware-esque forced upgrade tactics and its refusal to answer consumer privacy inquiries in a straightforward fashion. Microsoft's also trying to appease French regulators, who last summer demanded that Microsoft "stop collecting excessive user data" and cease tracking the web browsing of Windows 10 users without their consent. Of course if having total, granular control over how chatty your OS is over the network is your priority, not using Windows whatsoever probably remains your best option.

from the self-sabotage dept

We've talked a lot about how Microsoft managed to shoot Windows 10 (and consumer goodwill) squarely in the foot by refusing to seriously address OS privacy concerns, and by using malware-style tactics to try and force users on older versions of Windows to upgrade. While Microsoft's decision to offer Windows 10 as a free upgrade to Windows 7 and Windows 8.1 made sense on its surface, the company repeatedly bungled the promotion by making the multi-gigabyte upgrade impossible to avoid, which was a huge problem for those on capped and metered broadband connections.

But at times Microsoft made things even worse by engaging in behavior that would make even the lowest scumware peddlers proud. Like that time the Redmond-giant began pushing Windows 10 upgrade popups that pretended to let users close the popup dialogue by pressing X, only to have that begin the upgrade anyway against the user's wishes.

Between this and the company's outright refusal to let users control how and when the operating system phoned home, Microsoft managed to take a relatively successful OS launch and turn it squarely on its head -- largely by ignoring some of the most basic principles of design, customer service, and public relations.

Now that the Windows 10 upgrade push is long gone, the company actually got close to acknowledging that its behavior went too far. Speaking on the Windows Weekly podcast, Microsoft’s Chief Marketing Officer Chris Capossela finally acknowledged that the company mishandled the entire forced upgrade (though he falls short of apologizing or addressing the parallel privacy concerns):

"We know we want people to be running Windows 10 from a security perspective, but finding the right balance where you’re not stepping over the line of being too aggressive is something we tried and for a lot of the year I think we got it right, but there was one particular moment in particular where, you know, the red X in the dialog box which typically means you cancel didn’t mean cancel.

And within a couple of hours of that hitting the world, with the listening systems we have we knew that we had gone too far and then, of course, it takes some time to roll out the update that changes that behavior. And those two weeks were pretty painful and clearly a lowlight for us. We learned a lot from it obviously."

Except Microsoft didn't really "get it right," and users made that abundantly obvious. And whether Microsoft actually "learned a lot from it" really isn't clear, since a refusal to let users truly control how the OS works (whether it's preventing the OS from being quite so chatty or letting users dictate upgrade schedules on their own terms) has been somewhat of a recurring theme since launch. That "we know what's best for you" mentality has been bone-grafted to the company's DNA for some time, and we'll likely have to wait until Windows 11 to see if any lessons were actually learned.